McAfee Labs

iBots? Mobile phone network 0wnage

By on Oct 28, 2010

Some of the most interesting research on mobile botnets is being done in the lab.  Security researchers Collin Mulliner and Jean Pierre Seifert have put together a robust Proof-of-Concept (PoC) iPhone botnet.

Their research was presented at the 5th International Conference on Malicious and Unwanted Software (MALWARE 2010) last week.  In a presentation titled “Rise of the iBots: 0wning a telco network”, Mulliner/Seifert look into various methods of establishing command and control (C&C) of a botnet over a mobile telephone company’s network.  Very timely, I added an overview of the research to my talk on Saturday at Toorcon.

The researchers didn’t implement any spreading functionality so that there was no risk of the botnet escaping the lab. They instead concentrated on seeing which communication methods were best for maintaining a distributed computing network (like a botnet); SMS, http, or P2P.  Unlike general PC security researchers, these two have experience in the challenges and issues involved in developing for low powered, limited CPU/RAM devices with inconsistent network connectivity(EDGE, 3G, WiFi, etc.).

The SMS method, using text messages to send commands to the bots, is commonly used by other mobile spyware and botnets.  The more advanced malware will also intercept and delete any command SMS messages, so that the user never suspects that they’re infected.  Mulliner has previous experience with SMS interception, having presented his research on the topic at the Black Hat USA security conference in 2009.

Instead of using straightforward text-based SMS messages like with other mobile malware, they use binary mode SMS. These are not system SMS messages or “flash” SMS messages that don’t leave a trail in the inbox.  They’re just SMS messages with about 140 bytes.  Sending in binary lets them encode commands in less space and also helps to make the C&C messages harder to detect.  They also determined that in addition to SMS, using a combination of P2P and http protocols could increase the robustness of the botnet.

There’s a joke amongst malware researchers that sometimes it feels like we’re doing QA for the malware authors; calling them out on their bad code.  Malware authors aren’t generally known for following secure development or software testing processes.  Occasionally it takes a professional developer/researcher to do it right.  Mulliner’s research from Black Hat involved fuzzing SMS handlers, so it was amusing to see that they actually fuzzed their botnet’s SMS command handling code.  I guess when you’re getting ready to take over your telephone company’s network, you can’t have your botnet fail just because it gets a malformed command SMS.

Since they used binary SMS messages, the botnet commands aren’t as easy to decode as a plain text protocol.  The table below shows the breakdown of a command SMS.  Mulliner/Seifert were careful in designing their communication protocol to insure that it was safe from replay attacks(responding only to packets with sequence numbers greater than the last command) or hijacking through command emulation(encrypting and digitally signing command messages).

Breakdown of ibot command packet

Fig 1 - Binary command SMS messages are broken down into a few parts. Each command SMS is digitally signed to prevent hijacking of the botnet. The sequence number helps to prevent a replay attack. All packets can also be optionally encrypted to further evade detection.

Below is a breakdown of the commands they implemented:

List of ibot botnet client commands

Fig 2 - A human-readable list of the binary commands used in the botnet. Running a command can be used to DDOS a website.

After seeing an attempt at a stable, fault resistant, mobile botnet, one might wonder how to protect against such a threat.  On that note, we may actually be better off taking a page from Mulliner and Seifert’s presentation:

“Mobile telcos need to think about monitoring and fighting SMS-based botnets”.

This works for threats on the network. On the individual level there are still a few ways to shut the door on attackers:

  • Install the latest official OS/firmware patches for your smartphone
  • Avoid pirated software or software from untrusted sources

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>